Newsgroups: php.internals
Subject: Re: [PHP-DEV] CURL file posting
From: Ángel González <keisial@gmail.com>
To: Richard Lynch
CC: internals@lists.php.net
Date: Mon, 12 Mar 2012 22:58:30 +0100
Message-ID: <4F5E7186.7060303@gmail.com>
In-Reply-To: <8d17c1162ecbe11172e4f09630200c17.squirrel@www.l-i-e.com>
References: <4F5C5540.8010204@sugarcrm.com> <4F5D3569.8050307@sugarcrm.com> <8d17c1162ecbe11172e4f09630200c17.squirrel@www.l-i-e.com>

On 12/03/12 20:36, Richard Lynch wrote:
> On Sun, March 11, 2012 6:29 pm, Stas Malyshev wrote:
>> This doesn't look good. Documentation does say the @ prefix exists,
>> but it has very high potential of creating security holes for unsuspecting
>> people. open_basedir would help limit the impact, but still it's not a
>> good thing. Any ideas on fixing it without breaking the BC?
> Ouch.
>
> Issue an E_NOTICE when it happens?
>
> Add a new CURLOPT_FILEFIELDS that takes an array of the parameters
> that are supposed to be files, so the ones that are expected to have
> "@..." do not fire the E_NOTICE.
>
> Issuing E_NOTICE is a BC, I suppose, but you'd think people would
> appreciate an alert about a potential security threat...

That would only trigger the notice when you transfer data beginning with an @, which would end up being only when finally attacked.

I'd make it need another option to make @ options work (eg. CURLOPT_AT_TRANSFERS_FILES) which defaults to false. Similar to SO_BROADCAST, where binding a socket to a broadcast address is not enough to send the packets there.

It *is* a BC break, but the current API is badly provided. I don't see a way to work around that. A one-line fix to get the previous not-too-used(?) behavior back seems as good as can be achieved.

It is also possible to make a completely new option API without those problems, and deprecate the old one, but that's still a BC break.
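The hazard the thread is discussing, and the caller-side ways around it, as an added PHP example (not code from the thread or from the PHP project). The vulnerable function shows the legacy array form of CURLOPT_POSTFIELDS, where a value that merely begins with "@" is reinterpreted as a local file to upload. The hardened variants rely on two facts: the "@" hook only applies to the array form, so a URL-encoded string body is sent literally; and, for intentional uploads, PHP 5.5 introduced CURLFile together with CURLOPT_SAFE_UPLOAD (the default from PHP 7 on), which turns the "@" interpretation off for the remaining fields. The URL, field names and the leading-"@" check are this example's own assumptions; the thread's proposed CURLOPT_AT_TRANSFERS_FILES option never existed under that name.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.1 for the scalar/void type hints.

/**
 * Vulnerable pattern: untrusted values dropped straight into the array form of
 * CURLOPT_POSTFIELDS. With the legacy "@" handling, a client-supplied
 * $fields['comment'] of '@/etc/passwd' makes curl read and upload that local
 * file instead of sending the literal string.
 */
function post_fields_unsafe(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields); // array form: "@" prefix is honoured
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

/**
 * Hardened pattern 1: send plain form data as an application/x-www-form-urlencoded
 * string. The "@" file hook only exists for the array form, so a string body is
 * transmitted byte-for-byte, leading "@" included.
 */
function post_fields_safe(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields)); // string form
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

/**
 * Hardened pattern 2 (PHP >= 5.5): when an upload is intended, name the file
 * explicitly with CURLFile and enable CURLOPT_SAFE_UPLOAD, which disables the
 * "@" interpretation for every other value in the array.
 */
function post_with_upload(string $url, array $fields, string $fileField, string $path): string
{
    $fields[$fileField] = new CURLFile($path);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true); // "@" in the other values stays literal
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

/**
 * Last resort for code that must keep the array form on a PHP version without
 * CURLOPT_SAFE_UPLOAD: refuse untrusted string values that start with "@".
 * This check is an assumption of the example, not a PHP or libcurl feature.
 */
function assert_no_at_prefix(array $fields): void
{
    foreach ($fields as $name => $value) {
        if (is_string($value) && $value !== '' && $value[0] === '@') {
            throw new InvalidArgumentException("field '$name' starts with '@'");
        }
    }
}

// Constructed input: the comment field is under the client's control.
$untrusted = ['user' => 'alice', 'comment' => '@/etc/passwd'];

assert_no_at_prefix(['user' => 'alice', 'comment' => 'hello']); // accepted
try {
    assert_no_at_prefix($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // rejected: field 'comment' starts with '@'
}

// post_fields_unsafe('https://example.invalid/api', $untrusted); // would upload /etc/passwd
// post_fields_safe('https://example.invalid/api', $untrusted);   // sends the literal "@/etc/passwd"
```

The string-body variant is the smallest change for callers that never upload files; the CURLFile variant is the right shape when uploads are intended, because the upload decision is then made by the code, not by the first byte of a value.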